odzhan / injection

Windows process injection methods
http://modexp.wordpress.com/

Adapt WNF injector to Windows 10 #13

Open yardenshafir opened 1 year ago

yardenshafir commented 1 year ago

In Windows 10/11 the NamesTableEntry of the WNF_SUBSCRIPTION_TABLE isn't a list anymore, instead it's a tree. Handling should be adjusted based on the system build (not sure exactly what build that changed in, will check and update here).

odzhan commented 1 year ago

Hello Yarden :)

I intend to update all the injection PoCs soon because I realise some of them may not work anymore as a result of changes in structures such as those you mentioned with WNF. I'm sure there are others too, so I'll need to test them all again and fix the ones that no longer work. If you have any details of new structures for WNF, I'd be grateful for any help.

Thank you.

yardenshafir commented 1 year ago

Absolutely! The main relevant difference is that the names _LIST_ENTRY became _RTL_BALANCED_NODE, and there are a couple more ULONG fields before the RetryDescriptor (though I'm not sure that matters much in this case since it's not used for injection). If I have some time next week I'll open a PR updating the structure and changing the list search to a tree search, I'll also update which build this changed in :)
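An added example, not code from this repository or from either commenter, of what the list-to-tree change means for the lookup an injector performs over the names table. The `LIST_ENTRY`, `RTL_BALANCED_NODE` and `RTL_RB_TREE` declarations mirror ntdef.h but are re-declared locally so the walk compiles and runs on any platform without windows.h; the two subscription record types are hypothetical, cut down to the link field plus a `StateName`, and the five state names are constructed sample data. Which walk to use is left to the caller (the thread does not settle the build at which the change happened, so no threshold is encoded). The tree walk is iterative and uses the parent pointers, masking off the colour bits that `RTL_BALANCED_NODE` keeps in the low bits of `ParentValue`, so it can be ported directly to a node-at-a-time `ReadProcessMemory` loop over a remote table.

```c
/* Added example (not the injection repo's code): finding a WNF name
 * subscription before and after NamesTableEntry changed from a LIST_ENTRY
 * list to an RTL_BALANCED_NODE tree. Types mirror ntdef.h but are declared
 * here so this builds anywhere; record layouts are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

/* RTL_BALANCED_NODE: the low bits of ParentValue hold Red/Balance, so the
 * parent pointer is only usable after masking them off. */
typedef struct _RTL_BALANCED_NODE {
    struct _RTL_BALANCED_NODE *Left;
    struct _RTL_BALANCED_NODE *Right;
    uintptr_t ParentValue;
} RTL_BALANCED_NODE;
#define RTL_BALANCED_NODE_RESERVED_PARENT_MASK 3u
#define PARENT_OF(n) \
    ((RTL_BALANCED_NODE *)((n)->ParentValue & ~(uintptr_t)RTL_BALANCED_NODE_RESERVED_PARENT_MASK))

/* RTL_RB_TREE: only Root is needed for a full walk; the second field (Min,
 * with an Encoded bit in the real header) is declared for layout only. */
typedef struct { RTL_BALANCED_NODE *Root; RTL_BALANCED_NODE *Min; } RTL_RB_TREE;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Hypothetical cut-down WNF_NAME_SUBSCRIPTION records: the real ones carry
 * more fields (e.g. the extra ULONGs before RetryDescriptor). */
typedef struct { LIST_ENTRY        NamesTableEntry; uint64_t StateName; } OLD_NAME_SUB;
typedef struct { RTL_BALANCED_NODE NamesTableEntry; uint64_t StateName; } NEW_NAME_SUB;

/* Old layout: circular list anchored at the table's list head. */
OLD_NAME_SUB *find_in_list(LIST_ENTRY *head, uint64_t state_name) {
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        OLD_NAME_SUB *s = CONTAINING_RECORD(e, OLD_NAME_SUB, NamesTableEntry);
        if (s->StateName == state_name) return s;
    }
    return NULL;
}

/* Windows 10/11 layout: iterative in-order walk via parent pointers
 * (no recursion, no stack; each step touches one node). */
static RTL_BALANCED_NODE *leftmost(RTL_BALANCED_NODE *n) {
    while (n && n->Left) n = n->Left;
    return n;
}

RTL_BALANCED_NODE *next_inorder(RTL_BALANCED_NODE *n) {
    if (n->Right) return leftmost(n->Right);
    RTL_BALANCED_NODE *p = PARENT_OF(n);
    while (p && n == p->Right) { n = p; p = PARENT_OF(p); }
    return p;   /* NULL after the rightmost node */
}

NEW_NAME_SUB *find_in_tree(RTL_RB_TREE *tree, uint64_t state_name) {
    for (RTL_BALANCED_NODE *n = leftmost(tree->Root); n; n = next_inorder(n)) {
        NEW_NAME_SUB *s = CONTAINING_RECORD(n, NEW_NAME_SUB, NamesTableEntry);
        if (s->StateName == state_name) return s;
    }
    return NULL;   /* also the result for an empty tree (Root == NULL) */
}

size_t count_tree(RTL_RB_TREE *tree) {
    size_t c = 0;
    for (RTL_BALANCED_NODE *n = leftmost(tree->Root); n; n = next_inorder(n)) c++;
    return c;
}

/* Constructed sample data: five made-up state names, linked below as a
 * valid red-black tree with colour bits set in ParentValue. */
static uint64_t sample_name(int i) { return 0x41C64E6DA3BC0C75ull + ((uint64_t)i << 12); }
static NEW_NAME_SUB tree_subs[5];
static RTL_RB_TREE  sample_tree;
RTL_RB_TREE         empty_tree;     /* Root == NULL: the edge case */

static void link_child(NEW_NAME_SUB *parent, NEW_NAME_SUB *child, int right, int red) {
    RTL_BALANCED_NODE *p = &parent->NamesTableEntry, *c = &child->NamesTableEntry;
    if (right) p->Right = c; else p->Left = c;
    c->ParentValue = (uintptr_t)p | (red ? 1u : 0u);   /* bit 0 = Red */
}

RTL_RB_TREE *build_sample_tree(void) {
    /*       [1]B            in-order: 0 1 2 3 4
     *      /    \
     *   [0]B    [3]B
     *          /    \
     *       [2]R    [4]R                                      */
    for (int i = 0; i < 5; i++) tree_subs[i].StateName = sample_name(i);
    sample_tree.Root = &tree_subs[1].NamesTableEntry;
    sample_tree.Min  = NULL;
    link_child(&tree_subs[1], &tree_subs[0], 0, 0);
    link_child(&tree_subs[1], &tree_subs[3], 1, 0);
    link_child(&tree_subs[3], &tree_subs[2], 0, 1);
    link_child(&tree_subs[3], &tree_subs[4], 1, 1);
    return &sample_tree;
}

/* The same five names as an old-style circular list. */
static OLD_NAME_SUB list_subs[5];
static LIST_ENTRY   list_head;

LIST_ENTRY *build_sample_list(void) {
    list_head.Flink = list_head.Blink = &list_head;
    for (int i = 0; i < 5; i++) {
        list_subs[i].StateName = sample_name(i);
        LIST_ENTRY *e = &list_subs[i].NamesTableEntry;
        e->Blink = list_head.Blink; e->Flink = &list_head;
        list_head.Blink->Flink = e; list_head.Blink = e;
    }
    return &list_head;
}

int main(void) {
    uint64_t want = sample_name(2);
    OLD_NAME_SUB *o = find_in_list(build_sample_list(), want);
    NEW_NAME_SUB *t = find_in_tree(build_sample_tree(), want);
    printf("list hit: %p  tree hit: %p  tree nodes: %zu\n",
           (void *)o, (void *)t, count_tree(&sample_tree));
    return (o && t) ? 0 : 1;
}
```

Against a live process the same `next_inorder` loop is driven by reading each `RTL_BALANCED_NODE` out of the target with `ReadProcessMemory`, keeping the remote address for `CONTAINING_RECORD` and comparing `StateName` from the copied record; forgetting the `PARENT_OF` mask is the usual way such a walk wanders off into unmapped memory.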